Notes on working with BIND v9:
RNDC: Making the damned this work!
----------------------------------
First off, it won't work untill you fix /etc/rndc.conf,
make some changes to /etc/named.conf, and stop/restart named.
Only then will it work. You'll know its working because you'll
see the following startup message:
command channel listening on 127.0.0.1#953
First, here's what /etc/rndc.conf looks like:
-----------------------------------------------------------
key rndc_key {
algorithm "hmac-md5";
secret "nCzkGvxO65EHAoi9kpn5ww==";
};
options {
default-server localhost;
default-key rndc_key;
};
server localhost {
key rndc_key;
};
----------------------------------------------------------
This is fairly self explanitory. The only
foggy point is the hmac-md5 secret creation. To create
it move to a temp directory and run the following:
/usr/local/sbin/dnssec-keygen -a hmac-md5 -b 128 -n user rndc
This'll output two files named: "Krndc.+157+33861.key" and
"Krndc.+157+33861.private", or something along thoughs lines.
The secrets are the same in both files, simply cut-and-paste
the secret into the secret line of the key statement. Once
that is done you can wack the two key files.
Next, you need to mod /etc/named.conf. Add the following:
-----------------------------------------------------------------
key rndc_key {
algorithm "hmac-md5";
secret "nCzkGvxO65EHAoi9kpn5ww==";
};
controls {
inet 127.0.0.1 allow { localhost; } keys { rndc_key; };
};
acl localhost { 127.0.0.1; };
-----------------------------------------------------------------
Notices that the "key" section is straight outta /etc/rndc.conf.
The "controls" section will contian the IP address, and allow is the
defines ACL for access. That, therefore requires an ACL.... duh.
Obviously, when defining "keys" you need to point to the key name.
The changes in /etc/rndc.conf make alot of sense. Obviously,
to control the nameserver you'll need a key (check), you'll need to
define what nameserver your going to talk to and which key you'll use
for it. (check) Now, the optional part is in specifying multiple servers to
work with. For each server you would add a new "server" section.
In our previous example it could have been omitted. You can go the other
way too, to exclude the "options" section and rely on the server clause only,
but since you hadn't defined a "default-server" you'd have to use rndc with
a "-s server" option every time. It's best to just spec a default server,
and defining the server in its own section is just good habit.
Here is another RNDC setup on a diffret machine:
-------------------/etc/rndc.conf-----------------------------
key rndc_key {
algorithm "hmac-md5";
secret "QrXc3DTpzUVf80Y1YAj7NQ==";
};
options {
default-server 10.0.0.1;
default-key rndc_key;
};
---------------------------------------------------------------
...and...
------------------/etc/named.conf------------------------------
acl localhost { 127.0.0.1; };
options {
directory "/etc/namedb";
pid-file "named.pid";
};
//----------RNDC STUFF----------
// Control Statements for RNDC Control
controls {
inet 10.0.0.1 allow { localhost; } keys { rndc_key; };
};
// Key for RNDC
key rndc_key {
algorithm "hmac-md5";
secret "QrXc3DTpzUVf80Y1YAj7NQ==";
};
//------------RNDC STUFF---------
// Root server hints
zone "." {
type hint;
file "db.cache";
};
// Reverse Mapping
zone "0.0.127.in-addr.arpa" {
type master;
file "db.127.0.0";
notify no;
};
zone "cuddletech.com" {
type master;
file "db.cuddletech";
};
--------------------------------------------------------------
Notice in the second case outlined, I've omited the
"server" statement from /etc/rndc.conf. This was because I
didn't want to use loopback, and I'm not sure how the rndc.conf
file resolves names, so I wanted to spec an IP. Unfortuntely,
the "default-server" statement will except an IP, while the
"server" statement will not.
Next we see a change of the "inet" clause in the controls
statement of /etc/named.conf. This is what places the RNDC server,
so instead of being on 127.0.0.1, like before, it now sits on 10.0.0.1.
BTW, testing shows that the "allow-query" option has NO effect
of the RNDC setup.
On the issue of "how she resolves names". I'd imagine
via DNS itself. Note that "localhost" is a special case, handled
by the loopback map. "localhost" is damned near idiot proof. However
to use a non-"localhost" server statement I'm thinking that you
can't use the alias, but must use the real name.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
RNDC: Network Management.
To raise the bar abit, you might wanna access
rndc remotely. To do this you need to do the following:
a) Edit the client side /etc/rndc.conf file.
b) Check perms in server side /etc/named.conf control statement.
First, make sure that in your /etc/named.conf's "control" statement
that the "allow" allows the client. If it does, then your done on the
server. If your not, check the acl's. Also, FYI, make sure that you
aren't serving RNDC on the localhost, but on an actual interface,
as noted earlier.
Now, on the client, add lines similar to these:
----------------------------------------------
//Nexus6 RNDC Control
key rndc_key {
algorithm "hmac-md5";
secret "QrXc3DTpzUVf80Y1YAj7NQ==";
};
server nexus6 {
key rndc_key;
};
---------------------------------------------
I've found that the name of the key IS significant. If you created
the key as "..keygen... -n user rndc" then you need to call the key
"rndc_key", if you called it "nexus6" then its "nexus6_key". Failure
to follow this guideline will get you a message like this:
bash-2.02# rndc -s nexus6 stats
rndc: send remote authenticator: permission denied
bash-2.02#
____________________________________________________________________________
!!!NOTE: Therefore, always give your keys significant names, not generic.!!!
----------------------------------------------------------------------------
You can see from the above example syntax that accessing
a remote server via rndc requires a "-s server" each time you make
a request. The servername must be resolvable via DNS before trying any
of this.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Add:
-Signing Zones
-DNSSEC
-More enc stuff....
Signing Zones:
1) Create two keys for the zone
dnssec-keygen -a RSA -b 1024 -n ZONE cuddletech.com
dnssec-keygen -a RSA -b 1024 -n ZONE cuddletech.com
2) Create a keyset from thoughs
dnssec-makekeyset -t 3600 Kcuddletech.com.+001+34959 Kcuddletech.com.+001+39233
3) Sign the key
dnssec-signkey keyset-cuddletech.com. Kcuddletech.com.+001+34959 Kcuddletech.com.+001+39233
4) Add the keys to the Zone file, AFTER the $TTL is defined.
$INCLUDE Kcuddletech.com.+001+34959.key
$INCLUDE Kcuddletech.com.+001+39233.key
5) Sign the zone
dnssec-signzone -o cuddletech.com db.cuddletech
[ -o zonename, this is the name that is listed in the SOA]
6) Modify the named.conf for the zone,
from db.cuddletech to db.cuddletech.signed
Done.